CVE-2026-6915 MEDIUM

CVE-2026-6915: Flaw in the updateUser Command May Allow Unauthorized Configuration Change

Vendor MongoDB
Product MongoDB Server
Weakness CWE-1284
Published April 29, 2026
Last update April 29, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account.

Key dates

02 Disclosure timeline

April 29, 2026 CVE published
April 29, 2026 Record updated